class RuboCop::Cop::GitlabSecurity::SqlInjection

Check for use of where("name = '#{params}'")

Passing user input to where() without parameterization can result in SQL injection.

@example

# bad
u = User.where("name = '#{params[:name]}'")

# good (parameters)
u = User.where("name = ? AND id = ?", params[:name], params[:id])
u = User.where(name: params[:name], id: params[:id])

Constants

MSG

Public Instance Methods

on_send(node)
# File lib/rubocop/cop/gitlab-security/sql_injection.rb, line 29
def on_send(node)
  # where_user_input? and string_var_string? are the cop's node matchers
  # (their definitions are not shown on this page).
  # Only inspect `where` sends that receive user input.
  return unless where_user_input?(node)
  # Flag only when at least one argument is a string literal built by
  # interpolating a variable into it, e.g. "name = '#{params[:name]}'".
  return unless node.arguments.any? { |e| string_var_string?(e) }

  # Report on the method name (`where`) rather than the whole expression.
  add_offense(node, location: :selector)
end
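The @example block and on_send above describe the shape this cop flags: a `where` call whose argument is a string literal built with `#{...}` interpolation. As an added illustration (not the cop's own code, and independent of RuboCop), the following hypothetical checker reproduces that per-argument test on Ruby's stdlib Ripper syntax tree and reports the offending line numbers; the sample source it scans is constructed.

```ruby
require 'ripper'
# Hypothetical stand-alone checker on Ruby's Ripper parser (added example, not the
# cop's code): reports where() calls given a string literal containing #{...} interpolation.
module WhereInterpolationCheck
  module_function

  # Sorted line numbers of offending where() calls.
  def offenses(source)
    found = []
    walk(Ripper.sexp(source), found) # sexp is nil on a syntax error: no offenses
    found.uniq.sort
  end
  def walk(node, found)
    return unless node.is_a?(Array)
    ident, args = call_parts(node)
    if ident.is_a?(Array) && ident[0] == :@ident && ident[1] == 'where' &&
       argument_list(args).any? { |a| interpolated?(a) }
      found << ident[2][0] # ident is [:@ident, "where", [line, col]]
    end
    node.each { |child| walk(child, found) }
  end
  # [identifier, args] for the call shapes Ripper emits:
  # recv.where(...) or where(...), recv.where ..., where ...
  def call_parts(node)
    case node[0]
    when :method_add_arg then [node[1].last, node[2]] # callee is :call/:fcall
    when :command_call   then [node[3], node[4]]
    when :command        then [node[1], node[2]]
    end
  end
  # Unwrap [:arg_paren, [:args_add_block, [args...], block]] to [args...].
  def argument_list(args)
    args = args[1] if args.is_a?(Array) && args[0] == :arg_paren
    args.is_a?(Array) && args[0] == :args_add_block ? args[1] : []
  end
  # True for a string literal with at least one #{...} part (the cop's
  # check is per top-level argument, so where(name: "#{x}") is not flagged).
  def interpolated?(arg)
    arg.is_a?(Array) && arg[0] == :string_literal &&
      arg[1].any? { |part| part.is_a?(Array) && part[0] == :string_embexpr }
  end
end

# Constructed sample: lines 1 and 4 interpolate user input, 2 and 3 are safe.
SAMPLE = <<~'RUBY'
  u = User.where("name = '#{params[:name]}'")
  u = User.where("name = ? AND id = ?", params[:name], params[:id])
  u = User.where(name: params[:name], id: params[:id])
  u = User.where "email = '#{params[:email]}'"
RUBY
```

Running `WhereInterpolationCheck.offenses(SAMPLE)` returns `[1, 4]`; the parameterized and hash forms from the "good" example produce no offense.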